asp.net security : suggestions for smart card or biometric web authentication?

Dominick Baier [DevelopMentor]
12/30/2005 2:06:57 PM
Hi,

hope this is helpful :)

Generally there are two choices - certificate-based or key-token-based (e.g.
RSA SecurID).

In the first place, such forms of custom authentication take place in IIS - for
certificates this is part of the SSL handshake; IIRC RSA is split into an
ISAPI filter and a .NET library (Joe has more info on that).

If you choose certificates, the physical storage location does not matter
- the certificate could be deployed to the client's machine or a smart card.

These custom mechanisms can be used instead of or in addition to application
authentication logic like forms authentication.

The next question is - which client scenarios do you want to enable -

If you require certs then the client will not be able to use public terminals
- which may be exactly what you want.
RSA SecurID generates one-time passwords - so even if you use a public terminal
that has a keylogger installed, the logged password is useless.

For the certificate-based approach you don't need any special hardware -
any Windows-supported smart card reader will do, and IIS includes all functionality
out of the box to enable client cert authentication on the server side.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
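As an added example that is not part of the original thread or any poster's code: an ASP.NET 2.0 (C#) code-behind for a login page that treats the IIS-negotiated client certificate as the first factor and a Membership password as the second, and only then issues a forms authentication ticket. It assumes IIS is configured to accept or require client certificates on the site, that an ASP.NET Membership provider is configured, that the .aspx markup declares controls named UserNameTextBox, PasswordTextBox and ErrorLabel, and that the thumbprint-to-user table (with its placeholder thumbprint) is a hypothetical stand-in for your real user store.

```csharp
// Added example (not from the thread): client certificate + password login in ASP.NET 2.0.
// IIS performs the SSL handshake and client cert negotiation; this page only inspects
// the result and adds the application-level second factor and forms ticket.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CertLogin : Page
{
    // Hypothetical lookup: SHA-1 thumbprint (hex) -> account name. Constructed placeholder
    // values only; in a real deployment this mapping lives in your user store.
    private static readonly Dictionary<string, string> CertToUser;

    static CertLogin()
    {
        CertToUser = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        CertToUser.Add("0000000000000000000000000000000000000000", "alice"); // placeholder
    }

    // Assumed controls from the .aspx markup (declared there, not here):
    // TextBox UserNameTextBox, TextBox PasswordTextBox, Label ErrorLabel.

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        HttpClientCertificate clientCert = Request.ClientCertificate;

        // Factor 1: a certificate must have been presented during the SSL handshake.
        // If IIS is set to "Ignore" client certificates, IsPresent is always false.
        if (!clientCert.IsPresent || !clientCert.IsValid)
        {
            ShowError("A valid client certificate is required.");
            return;
        }

        // Re-build the chain ourselves so a certificate from an issuer the server
        // does not trust, or a revoked one, is not accepted on IIS's say-so alone.
        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
        {
            ShowError("Client certificate chain could not be validated.");
            return;
        }

        // Map the certificate to an account by thumbprint, not by Subject text:
        // subject strings are not unique across issuers, the thumbprint is.
        string certUser;
        if (!CertToUser.TryGetValue(cert.Thumbprint, out certUser))
        {
            ShowError("Certificate is not registered to any account.");
            return;
        }

        // Factor 2: the typed credentials must belong to the same account the
        // certificate maps to, so a stolen password alone is not enough.
        string typedUser = UserNameTextBox.Text;
        string password = PasswordTextBox.Text;
        if (!string.Equals(typedUser, certUser, StringComparison.OrdinalIgnoreCase)
            || !Membership.ValidateUser(typedUser, password))
        {
            ShowError("Invalid user name or password.");
            return;
        }

        // Both factors agree: issue the forms authentication ticket (non-persistent).
        FormsAuthentication.RedirectFromLoginPage(certUser, false);
    }

    private void ShowError(string message)
    {
        // Deliberately the same generic text path for every failure, so the page
        // does not reveal which factor was wrong.
        ErrorLabel.Text = message;
        ErrorLabel.Visible = true;
    }
}
```

The ordering matters: the certificate is checked before the password so that an attacker who only has a keylogged password never reaches the Membership validation, and the forms ticket is issued for the account the certificate maps to, not for whatever name was typed.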


HK
12/30/2005 9:32:41 PM
Anyone have suggestions for biometric or smart card or key fob or [whatever
else] authentication of a future public facing website? For example, a
customer could do something to authenticate themselves and the computer
passes some data in the background of their browser session so a user can be
authenticated better than the typical "username/password" fields? We'd use
ASP.NET 2.0 on the server side. I see a few miscellaneous tools in a Google
search but nothing is jumping out at me. For example, one is not really
.NET compatible but you could work around that. Not great. We also need
something affordable. Considering that online banking sites are exploring
better options to prevent spyware from grabbing usernames/passwords, I was
hoping someone in this group might have done some research into this already
and have some concrete thoughts or suggestions.

User Group Etiquette: Please don't be the first to reply to this post
unless you have something truly helpful to add, else others will think I've
already been helped and not read the post.

Spam Catcher
12/31/2005 8:13:01 AM
"HK" <replywithingroup@notreal.com> wrote in
news:ZHhtf.6970$pE4.4961@tornado.socal.rr.com:


Biometrics is still in its infancy - at least for the web.

As for keyfobs, take a look at RSA Security's SecurID authentication.
Also, Entrust provides secure identity solutions.

SecurID needs a bit of fudging to work with ASP.NET:

http://sourceforge.net/projects/securid4dotnet/

A cheaper solution may be to use client-side certificates. You send a
certificate to each user:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q315588

So to authenticate, a user will need a password + certificate.

But I guess a bigger question is - are you going to provide all your
customers keyfobs or biometric readers? This stuff doesn't come cheap.
Also, are you willing to deal with all the support issues? Perhaps you
should consider building better logging/monitoring tools - and force
users to reset their passwords often?


Newsgroup (usenet)... not user group!

Anyhow, I don't think there is such an "etiquette" rule. What one
considers junk may be gold for another? : ) You can always repost if you
don't like the answers!

--
owen.nick NO[at]SPAM gmail.com
1/3/2006 2:38:14 PM
HK:

You can have a look at our open-source two-factor authentication
solution:

http://www.wikidsystems.net (or
https://sourceforge.net/projects/wikid-twofactor/) and our commercial
site: http://www.wikidsystems.com.

We currently have a COM object for Windows apps, but we're also working
on an ISAPI plugin.

In addition, the PC clients for Mac, Linux and Windows can do mutual
authentication - i.e. host & user auth, which prevents MITM attacks. It
can run on a USB device. The commercial version supports wireless
devices - BlackBerry, cell phones, Palm, Windows Mobile.